Server-side virus & spam filtering

The SCS Corvid e-mail system features fully integrated antiSpam and antiVirus processing. These features are provided by "PureMessage," a commercial product from Sophos Corporation that scans all incoming mail for both spam and viruses.

AntiSpam Services

Messages arriving at the SCS mail machines (whether destined for the Corvid servers or for an individual mail machine) are scanned by the PureMessage package for spam characteristics. PureMessage uses many different traits to identify spam, including:

Keywords and phrases

Identity of the sending site and user

Presence of attachments and the size of the message

PureMessage estimates the probability that a message is spam and, if that value exceeds 50%, adds an identifying line to the message headers. The new line(s) will always begin with "X-spam-Warning" and include the calculated probability of the message being spam.

Once the message is tagged with this header, it is delivered to the intended user. At that point, the user can either act on the X-spam-Warning or not. Typically, the user will want to either refile the message into their spam folder or discard it entirely. This can be done either through a Sieve script on the Corvid back end server, or through a mail filter in the e-mail client software.

By default, when SCS Facilities sets up a new Corvid account, we install a Sieve script to refile suspected spam into the user's "SPAM" folder. (Note the uppercase folder name.) We strongly encourage users to inspect their spam folder periodically to ensure that nonspam messages were not accidentally refiled there and to clean out old, known spam messages. We do not recommend that users automatically delete messages that are spam.

Reporting mistagged mail

You can report spam that gets through PureMessage to: <is-spam@labs.sophos.com>. Similarly, to submit false positives, send mail erroneously tagged as spam to: <not-spam@labs.sophos.com>. In either case, send the complete message as an attachment, thereby including all "Received:" headers, so that SophosLabs can analyze your sample.

To forward ("bounce") suspect email:

From Mozilla Thunderbird:

Select the spam sample

From the toolbar, choose "Message" > "Forward as" > "Attachment"

Add the appropriate address to the recipient list

Send the email

From Microsoft Outlook:

Create a new email message addressed to the appropriate address, given above.

Drag and drop your email sample from the inbox to the new message

Send your message

From other email clients:

Contact Sophos support before sending your sample

In general, use the "Forward as Attachment" strategy

Thunderbird users can simplify the submission process by installing the "mailredirect" plugin, which adds a new option to the client's menubar. The Macintosh Mail.App client provides a builtin "Redirect message" option, and Pine (on Fedora-based Linux platforms) also offers bounce functionality.

AntiVirus Services

In a manner similar to the antiSpam services, the PureMessage antiVirus service scans all incoming mail for known virus signatures (the signature list is updated regularly). On detecting a virus, PureMessage adds the term "[PMX:Virus]" at the beginning of the message's "Subject:" header. The virus part of the message is then removed, and an explanatory text is added to summarize what happened. Any "nonviral" message text remains unchanged.

By default, messages that have been detected as having a virus are not deleted or refiled, since the viruses have been removed and the messages are no longer dangerous.
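
A Sieve script that acts on both tags described above (the "X-spam-Warning" header and the "[PMX:Virus]" subject prefix) could look like the following. This is an added example, not the script SCS Facilities installs; the "Virus-Cleaned" folder name is hypothetical, and the second rule is optional, since cleaned messages are left in place by default.

```sieve
# Added example, not the SCS-installed script.
require ["fileinto"];

# Rule 1: refile anything PureMessage tagged as probable spam.
# "exists" tests only for the presence of the header, so the rule does not
# depend on how the probability is formatted in the header value.
# Header names are compared case-insensitively; the folder name is not,
# so "SPAM" must be written in uppercase and the folder must already exist.
if exists "X-spam-Warning" {
    fileinto "SPAM";
    stop;               # do not evaluate further rules for this message
}

# Rule 2 (optional): collect messages whose viral part PureMessage removed.
# ":matches" uses only "*" and "?" as wildcards, so the square brackets
# are literal characters here. "Virus-Cleaned" is a hypothetical folder.
if header :matches "Subject" "[PMX:Virus]*" {
    fileinto "Virus-Cleaned";
    stop;
}

# Anything else falls through to the implicit "keep" (delivery to INBOX).
# Note that neither rule uses "discard": a false positive that is refiled
# can still be recovered and reported, while a discarded one cannot.
```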

This site is maintained by SCS Computing Facilities; send
comments to help@cs.cmu.edu.